EAP-TLS and EAP-Identity

Alan DeKok aland at deployingradius.com
Fri May 27 21:28:13 UTC 2022


On May 27, 2022, at 5:14 PM, David Weidenkopf <david+freeradius at weidenkopf.com> wrote:
> I am trying to understand EAP-TLS configuration. RFC3748 seems to indicate that the identity response can be empty. This makes sense for EAP-TLS, since it is using certificates, so maybe the identity is not useful in that case. I am aware of RFC5080 and it seems to discuss the conflicting requirements around this. 

  There's also RFC 2716, RFC 5216, and RFC 9190.

  The server can send an EAP-Request / Identity packet with no data.  This indicates that the supplicant should respond with an EAP-Response / Identity packet, with an actual identity.

  RFC 3748 Section 5.1 says:

      If the Identity is unknown, the
      Identity Response field should be zero bytes in length.

  But... that's stupid.  I don't know of any RADIUS server which allows empty identities.

> However, from looking at what I could find on this list about EAP-TLS configuration, is that the supplicant (wpa_supplicant in this case) is broken if it does not provide an identity.

  Yes.

> We control the supplicant and are only trying to integrate with customers using 8021X with WPA. We don't control their configuration. We have one that insists the identity should be able to be blank. 

  If the supplicant sends an EAP-Response / Identity with no identity, then FreeRADIUS will reject it.

  To be perfectly frank, it's idiotic for a supplicant to send an empty identity.  It means that proxying won't work, and a host of other things won't work.

  e.g. What should be put into the User-Name field?  How will you probably do accounting for that user?

  While the RFCs don't explicitly forbid empty identities, RFC 3748 is old, and they permit a whole lot of idiocy.  Simply by not forbidding it.  Newer RFCs are much more carefully written.

> My interest here is we use freeradius for testing our system. Is there a configuration for EAP-TLS that supports a blank or empty Identity?

  No.  It's hard-coded into the server.  An empty identity will always cause Access-Reject.

> I appreciate any wisdom anyone can share regarding this.

  There's no wisdom.  Only understanding gained through years of pain and suffering.  :(

  Alan DeKok.
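The exchange described above (a server sends EAP-Request/Identity with no data, the supplicant answers with EAP-Response/Identity, and the server rejects an empty identity because there is nothing to put in User-Name) as an added worked example. This is not FreeRADIUS code and not code from the thread; the packet layout follows RFC 3748 sections 4 and 5.1, the function names and the reject-reason strings are this example's own, and the sample identities are constructed.

```python
"""EAP-Identity encode/decode with the server-side checks described in the thread.
Added example, not FreeRADIUS code. Layout per RFC 3748: Code(1) Identifier(1)
Length(2) Type(1) Type-Data; Length counts the whole packet, header included."""
import struct

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_HEADER = struct.Struct("!BBHB")  # Code, Identifier, Length, Type


def build_eap(code, identifier, eap_type, type_data=b""):
    """Encode one EAP packet; Length covers header plus Type-Data."""
    length = EAP_HEADER.size + len(type_data)
    if length > 0xFFFF:
        raise ValueError("EAP packet too long")
    return EAP_HEADER.pack(code, identifier, length, eap_type) + type_data


def parse_eap(packet):
    """Decode an EAP packet, checking the Length field against the bytes received."""
    if len(packet) < EAP_HEADER.size:
        raise ValueError("EAP packet shorter than header")
    code, identifier, length, eap_type = EAP_HEADER.unpack(packet[:EAP_HEADER.size])
    if length < EAP_HEADER.size or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    return {"code": code, "identifier": identifier, "type": eap_type,
            "type_data": packet[EAP_HEADER.size:length]}


def identity_request(identifier, prompt=b""):
    """EAP-Request/Identity. No Type-Data simply asks the peer for its identity."""
    return build_eap(EAP_CODE_REQUEST, identifier, EAP_TYPE_IDENTITY, prompt)


def identity_response(identifier, identity):
    """EAP-Response/Identity. RFC 3748 5.1: the Response MUST NOT be NUL terminated."""
    return build_eap(EAP_CODE_RESPONSE, identifier, EAP_TYPE_IDENTITY,
                     identity.encode("utf-8"))


def check_identity_response(request, response):
    """Server-side checks on an EAP-Response/Identity.

    Returns ("continue", identity) or ("reject", reason). Rejecting an empty
    identity mirrors what the thread says FreeRADIUS does; the reason strings
    are this example's own wording, not server messages.
    """
    req = parse_eap(request)
    try:
        rsp = parse_eap(response)
    except ValueError as exc:
        return ("reject", str(exc))
    if rsp["code"] != EAP_CODE_RESPONSE or rsp["type"] != EAP_TYPE_IDENTITY:
        return ("reject", "not an EAP-Response/Identity")
    if rsp["identifier"] != req["identifier"]:
        return ("reject", "Identifier does not match outstanding Request")
    data = rsp["type_data"]
    if b"\x00" in data:
        return ("reject", "Identity Response must not contain NUL")
    try:
        identity = data.decode("utf-8")
    except UnicodeDecodeError:
        return ("reject", "Identity is not valid UTF-8")
    if identity == "":
        # Not forbidden by RFC 3748's wording, but it leaves nothing for
        # User-Name, so proxying and accounting cannot work: reject.
        return ("reject", "empty identity")
    return ("continue", identity)


if __name__ == "__main__":
    req = identity_request(7)
    for ident in ("anonymous@example.org", ""):  # constructed sample identities
        print(repr(ident), check_identity_response(req, identity_response(7, ident)))
```

Running the block shows the two outcomes side by side: a non-empty identity is passed on for User-Name, and the empty one is rejected before any TLS handshake starts, which is the behaviour the thread says to expect from the server.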


